On 01/19/2014 04:06 PM, Kevin Olbrich wrote:
I did not know about grsecurity. Thanks for the hint. After some quick browsing
it seemed it works like the Windows code execution protection. I will try to
compile the kernel with this patch like you did.
Linux is the most secure OS IMHO - distributing this patch in Debian would be
great I think (as soon as all apps are compatible).
Greetings,
I just decided to try this out the other day on my Wheezy 7.3 install.
It wasn't that painful and I haven't noticed any performance impact or
misbehaving (read: broken) programs, at least not yet. Then again, I
haven't done real benchmarks.
It appears that this patch is available in the apt repos under the
"kernel" section (sensibly enough) as:
linux-patch-grsecurity2
Once it's downloaded, it patches the kernel in an automated fashion and
doesn't force a reboot (although I believe you still need one to make it
effective, I suppose).
That said, since it's a kernel patch, /caveat emptor/... your mileage
may vary. And maybe some prefer to customize the options for the patch
being applied. ;)
Cheers,
Andrew